ID CVE-2013-2067
Summary java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 6.0.21
    cpe:2.3:a:apache:tomcat:6.0.21
  • Apache Software Foundation Tomcat 6.0.24
    cpe:2.3:a:apache:tomcat:6.0.24
  • Apache Software Foundation Tomcat 6.0.26
    cpe:2.3:a:apache:tomcat:6.0.26
  • Apache Software Foundation Tomcat 6.0.27
    cpe:2.3:a:apache:tomcat:6.0.27
  • Apache Software Foundation Tomcat 6.0.28
    cpe:2.3:a:apache:tomcat:6.0.28
  • Apache Software Foundation Tomcat 6.0.29
    cpe:2.3:a:apache:tomcat:6.0.29
  • Apache Software Foundation Tomcat 6.0.30
    cpe:2.3:a:apache:tomcat:6.0.30
  • Apache Software Foundation Tomcat 6.0.31
    cpe:2.3:a:apache:tomcat:6.0.31
  • Apache Software Foundation Tomcat 6.0.32
    cpe:2.3:a:apache:tomcat:6.0.32
  • Apache Software Foundation Tomcat 6.0.33
    cpe:2.3:a:apache:tomcat:6.0.33
  • Apache Software Foundation Tomcat 6.0.35
    cpe:2.3:a:apache:tomcat:6.0.35
  • Apache Software Foundation Tomcat 6.0.36
    cpe:2.3:a:apache:tomcat:6.0.36
  • Apache Software Foundation Tomcat 7.0.0
    cpe:2.3:a:apache:tomcat:7.0.0
  • Apache Software Foundation Tomcat 7.0.0 beta
    cpe:2.3:a:apache:tomcat:7.0.0:beta
  • Apache Software Foundation Tomcat 7.0.13
    cpe:2.3:a:apache:tomcat:7.0.13
  • Apache Software Foundation Tomcat 7.0.5
    cpe:2.3:a:apache:tomcat:7.0.5
  • Apache Software Foundation Tomcat 7.0.6
    cpe:2.3:a:apache:tomcat:7.0.6
  • Apache Software Foundation Tomcat 7.0.21
    cpe:2.3:a:apache:tomcat:7.0.21
  • Apache Software Foundation Tomcat 7.0.32
    cpe:2.3:a:apache:tomcat:7.0.32
  • Apache Software Foundation Tomcat 7.0.18
    cpe:2.3:a:apache:tomcat:7.0.18
  • Apache Software Foundation Tomcat 7.0.30
    cpe:2.3:a:apache:tomcat:7.0.30
  • Apache Software Foundation Tomcat 7.0.15
    cpe:2.3:a:apache:tomcat:7.0.15
  • Apache Software Foundation Tomcat 7.0.23
    cpe:2.3:a:apache:tomcat:7.0.23
  • Apache Software Foundation Tomcat 7.0.2 beta
    cpe:2.3:a:apache:tomcat:7.0.2:beta
  • Apache Software Foundation Tomcat 7.0.1
    cpe:2.3:a:apache:tomcat:7.0.1
  • Apache Software Foundation Tomcat 7.0.20
    cpe:2.3:a:apache:tomcat:7.0.20
  • Apache Software Foundation Tomcat 7.0.17
    cpe:2.3:a:apache:tomcat:7.0.17
  • Apache Software Foundation Tomcat 7.0.14
    cpe:2.3:a:apache:tomcat:7.0.14
  • Apache Software Foundation Tomcat 7.0.10
    cpe:2.3:a:apache:tomcat:7.0.10
  • Apache Software Foundation Tomcat 7.0.11
    cpe:2.3:a:apache:tomcat:7.0.11
  • Apache Software Foundation Tomcat 7.0.2
    cpe:2.3:a:apache:tomcat:7.0.2
  • Apache Software Foundation Tomcat 7.0.4
    cpe:2.3:a:apache:tomcat:7.0.4
  • Apache Software Foundation Tomcat 7.0.3
    cpe:2.3:a:apache:tomcat:7.0.3
  • Apache Software Foundation Tomcat 7.0.28
    cpe:2.3:a:apache:tomcat:7.0.28
  • Apache Software Foundation Tomcat 7.0.12
    cpe:2.3:a:apache:tomcat:7.0.12
  • Apache Software Foundation Tomcat 7.0.4 beta
    cpe:2.3:a:apache:tomcat:7.0.4:beta
  • Apache Software Foundation Tomcat 7.0.25
    cpe:2.3:a:apache:tomcat:7.0.25
  • Apache Software Foundation Tomcat 7.0.16
    cpe:2.3:a:apache:tomcat:7.0.16
  • Apache Software Foundation Tomcat 7.0.7
    cpe:2.3:a:apache:tomcat:7.0.7
  • Apache Software Foundation Tomcat 7.0.19
    cpe:2.3:a:apache:tomcat:7.0.19
  • Apache Software Foundation Tomcat 7.0.22
    cpe:2.3:a:apache:tomcat:7.0.22
  • Apache Software Foundation Tomcat 7.0.9
    cpe:2.3:a:apache:tomcat:7.0.9
  • Apache Software Foundation Tomcat 7.0.8
    cpe:2.3:a:apache:tomcat:7.0.8
CVSS
Base: 6.8 (as of 03-06-2013 - 12:27)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is not typically an authentication on the client side, beyond what is passed in the request itself, so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Access
    Vector: NETWORK
    Complexity: MEDIUM
    Authentication: NONE
Impact
    Confidentiality: PARTIAL
    Integrity: PARTIAL
    Availability: PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0964.NASL
    description Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.
    last seen 2017-10-29
    modified 2017-01-05
    plugin id 66949
    published 2013-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66949
    title RHEL 6 : tomcat6 (RHSA-2013:0964)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1437.NASL
    description The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users' sessions. (CVE-2012-4529) - A flaw that occurs when multiple applications use the same custom authorization module class name can allow a local attacker to deploy a malicious application that overrides the custom authorization modules provided by other applications. (CVE-2012-4572) - The framework does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. This can allow remote attackers to force the system to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications. (CVE-2012-5575) - A flaw in PicketBox can allow local users to obtain the admin encryption key by reading the Vault data file. (CVE-2013-1921) - A session fixation flaw was found in the FormAuthenticator module. (CVE-2013-2067) - A flaw that occurs when a JGroups channel was started results in the JGroups diagnostics service being enabled by default with no authentication via IP multicast. A remote attacker can make use of this flaw to read diagnostics information. (CVE-2013-2102) - A flaw in the StAX parser implementation can allow remote attackers to cause a denial of service via crafted XML. (CVE-2013-2160) - A flaw in Apache Santuario XML Security can allow context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak algorithm. (CVE-2013-2172) - A flaw in JGroup's DiagnosticsHandler can allow remote attackers to obtain sensitive information and execute arbitrary code by re-using valid credentials. (CVE-2013-4112) - A flaw in the manner in which authenticated connections were cached on the server by remote-naming can allow remote attackers to hijack sessions by using a remoting client. (CVE-2013-4128) - A flaw in the manner in which connections for EJB invocations were cached on the server can allow remote attackers to hijack sessions by using an EJB client. (CVE-2013-4213)
    last seen 2017-10-29
    modified 2014-05-02
    plugin id 72237
    published 2014-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72237
    title JBoss Portal 6.1.0 Update (RHSA-2013:1437)
  • NASL family Web Servers
    NASL id TOMCAT_7_0_33.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is prior to 7.0.33. It is, therefore, affected by an error related to HTML form authentication and session fixation that allows an attacker to carry out requests using a victim's credentials. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen 2018-01-26
    modified 2018-01-24
    plugin id 66427
    published 2013-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66427
    title Apache Tomcat 7.0.x < 7.0.33 Session Fixation
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2897.NASL
    description Multiple security issues were found in the Tomcat servlet and JSP engine : - CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials. - CVE-2013-2071 A runtime exception in AsyncListener.onComplete() prevents the request from being recycled. This may expose elements of a previous request to a current request. - CVE-2013-4286 Reject requests with multiple content-length headers or with a content-length header when chunked encoding is being used. - CVE-2013-4322 When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited denial of service by streaming an unlimited amount of data to the server. - CVE-2014-0050 Multipart requests with a malformed Content-Type header could trigger an infinite loop causing a denial of service.
    last seen 2017-10-29
    modified 2015-11-06
    plugin id 73421
    published 2014-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73421
    title Debian DSA-2897-1 : tomcat7 - security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0964.NASL
    description From Red Hat Security Advisory 2013:0964 : Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.
    last seen 2017-10-29
    modified 2016-05-06
    plugin id 68838
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68838
    title Oracle Linux 6 : tomcat6 (ELSA-2013-0964)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0834.NASL
    description Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575) Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements. When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user's jsessionid and hijack their session, or by extracting the jsessionid from log files. Note that no session tracking method is used by default, one must be configured. (CVE-2012-4529) If multiple applications used the same custom authorization module class name, and provided their own implementations of it, the first application to be loaded will have its implementation used for all other applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker. (CVE-2012-4572) Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575. CVE-2012-4572 was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team. Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details. All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2014-05-23
    plugin id 66522
    published 2013-05-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66522
    title RHEL 6 : JBoss EAP (RHSA-2013:0834)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0839.NASL
    description Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575) Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements. When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user's jsessionid and hijack their session, or by extracting the jsessionid from log files. Note that no session tracking method is used by default, one must be configured. (CVE-2012-4529) If multiple applications used the same custom authorization module class name, and provided their own implementations of it, the first application to be loaded will have its implementation used for all other applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker. (CVE-2012-4572) Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575. CVE-2012-4572 was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team. Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details. All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-05
    plugin id 66523
    published 2013-05-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66523
    title RHEL 5 : JBoss EAP (RHSA-2013:0839)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130620_TOMCAT6_ON_SL6_X.NASL
    description A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) Tomcat must be restarted for this update to take effect.
    last seen 2017-10-29
    modified 2014-03-02
    plugin id 66952
    published 2013-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66952
    title Scientific Linux Security Update : tomcat6 on SL6.x (noarch)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0833.NASL
    description The version of JBoss Enterprise Application Platform 6.0.1 running on the remote system is vulnerable to the following issues: - A man-in-the-middle attack is possible when applications running on JBoss Web use the COOKIE session tracking method. The flaw is in the org.apache.catalina.connector.Response.encodeURL() method. By making use of this, an attacker could obtain a user's jsessionid and hijack their session. (CVE-2012-4529) - If multiple applications used the same custom authorization module class name, a local attacker could deploy a malicious application authorization module that would permit or deny user access. (CVE-2012-4572) - XML encryption backwards compatibility attacks could allow an attacker to force a server to use insecure legacy cryptosystems. (CVE-2012-5575) - A NULL pointer dereference flaw could allow a malicious OCSP to crash applications performing OCSP verification. (CVE-2013-0166) - An OpenSSL leaks timing information issue exists that could allow a remote attacker to retrieve plaintext from the encrypted packets. (CVE-2013-0169) - The JBoss Enterprise Application Platform administrator password and the sucker password are stored in a world-readable, auto-install XML file created by the GUI installer. (CVE-2013-0218) - Tomcat incorrectly handles certain authentication requests. A remote attacker could use this flaw to inject a request that would get executed with a victim's credentials. (CVE-2013-2067)
    last seen 2017-10-29
    modified 2014-05-02
    plugin id 66971
    published 2013-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66971
    title JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1012.NASL
    description Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ The following security issues are also fixed with this release : Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558) Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499) A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544) A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071) Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed. Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 76238
    published 2014-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76238
    title RHEL 6 : JBoss Web Server (RHSA-2013:1012)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-29.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-29 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions. Workaround : There is no known workaround at this time.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 79982
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79982
    title GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1841-1.NASL
    description It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2012-3544) It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-2067) It was discovered that Tomcat sometimes exposed elements of a previous request to the current request. This could allow a remote attacker to possibly obtain sensitive information. This issue only affected Ubuntu 12.10 and Ubuntu 13.04. (CVE-2013-2071). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 66670
    published 2013-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66670
    title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : tomcat6, tomcat7 vulnerabilities (USN-1841-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-042.NASL
    description Updated tomcat6 packages fix security vulnerabilities : It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544). A frame injection in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc (CVE-2013-1571). A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root (CVE-2013-1976). It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials (CVE-2013-2067). Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 72595
    published 2014-02-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72595
    title Mandriva Linux Security Advisory : tomcat6 (MDVSA-2014:042)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0964.NASL
    description Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.
    last seen 2018-07-03
    modified 2018-07-02
    plugin id 66965
    published 2013-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66965
    title CentOS 6 : tomcat6 (CESA-2013:0964)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-633.NASL
    description Tomcat was updated to fix security issues and a bug: CVE-2013-1976: Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gained access to the tomcat chroot could escalate privileges to root. CVE-2013-2067: java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat did not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. CVE-2012-3544: Tomcat was affected by a chunked transfer encoding extension size denial of service vulnerability. Also the following bug was fixed : - Fix tomcat init scripts generating malformed classpath (http://youtrack.jetbrains.com/issue/JT-18545) bnc#804992
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 75107
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75107
    title openSUSE Security Update : tomcat (openSUSE-SU-2013:1307-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2725.NASL
    description Two security issues have been found in the Tomcat servlet and JSP engine : - CVE-2012-3544 The input filter for chunked transfer encodings could trigger high resource consumption through malformed CRLF sequences, resulting in denial of service. - CVE-2013-2067 The FormAuthenticator module was vulnerable to session fixation.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 68971
    published 2013-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68971
    title Debian DSA-2725-1 : tomcat6 - several vulnerabilities
  • NASL family Misc.
    NASL id ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2014_CPU.NASL
    description The remote host has a version of Oracle Secure Global Desktop installed that is affected by multiple vulnerabilities : - Specially crafted requests sent with chunked transfer encoding could allow a remote attacker to perform a 'limited' denial of service attack on the Tomcat server. (CVE-2012-3544) - The Tomcat server is affected by a session fixation vulnerability in the FORM authenticator. (CVE-2013-2067) - The Apache Tomcat AsyncListener method is affected by a cross-session information disclosure vulnerability when handling user requests. (CVE-2013-2071) - The Administration Console and Workspace Web Applications subcomponent is affected by an unspecified, remote vulnerability. (CVE-2014-0419)
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 72339
    published 2014-02-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72339
    title Oracle Secure Global Desktop Multiple Vulnerabilities (January 2014 CPU)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1011.NASL
    description Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ The following security issues are also fixed with this release : Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558) Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499) A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user. (CVE-2013-2067) A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server. Chunked transfer encoding is enabled by default. (CVE-2012-3544) A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances. If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071) Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed. Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 5 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 76237
    published 2014-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76237
    title RHEL 5 : JBoss Web Server (RHSA-2013:1011)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_TOMCAT_20140401_2.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. (CVE-2012-3544) - java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. (CVE-2013-2067)
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 80792
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80792
    title Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_tomcat)
  • NASL family Web Servers
    NASL id TOMCAT_6_0_37.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 6.0 listening on the remote host is prior to 6.0.37. It is, therefore, affected by multiple vulnerabilities : - An error exists related to chunked transfer encoding and extensions that allows limited denial of service attacks. (CVE-2012-3544) - An error exists related to HTML form authentication and session fixation that allows an attacker to carry out requests using a victim's credentials. (CVE-2013-2067) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-07-01
    modified 2018-06-29
    plugin id 66426
    published 2013-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66426
    title Apache Tomcat 6.0.x < 6.0.37 Multiple Vulnerabilities
redhat via4
advisories
  • bugzilla
    id 961779
    title CVE-2013-2067 tomcat: Session fixation in form authenticator
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment tomcat6 is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964005
        • comment tomcat6 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335006
      • AND
        • comment tomcat6-admin-webapps is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964017
        • comment tomcat6-admin-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335022
      • AND
        • comment tomcat6-docs-webapp is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964009
        • comment tomcat6-docs-webapp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335020
      • AND
        • comment tomcat6-el-2.1-api is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964011
        • comment tomcat6-el-2.1-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335024
      • AND
        • comment tomcat6-javadoc is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964007
        • comment tomcat6-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335012
      • AND
        • comment tomcat6-jsp-2.1-api is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964019
        • comment tomcat6-jsp-2.1-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335008
      • AND
        • comment tomcat6-lib is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964013
        • comment tomcat6-lib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335018
      • AND
        • comment tomcat6-servlet-2.5-api is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964021
        • comment tomcat6-servlet-2.5-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335010
      • AND
        • comment tomcat6-webapps is earlier than 0:6.0.24-57.el6_4
          oval oval:com.redhat.rhsa:tst:20130964015
        • comment tomcat6-webapps is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110335014
    rhsa
    id RHSA-2013:0964
    released 2013-06-20
    severity Moderate
    title RHSA-2013:0964: tomcat6 security update (Moderate)
  • rhsa
    id RHSA-2013:0833
  • rhsa
    id RHSA-2013:0834
  • rhsa
    id RHSA-2013:0839
  • rhsa
    id RHSA-2013:1437
rpms
  • tomcat6-0:6.0.24-57.el6_4
  • tomcat6-admin-webapps-0:6.0.24-57.el6_4
  • tomcat6-docs-webapp-0:6.0.24-57.el6_4
  • tomcat6-el-2.1-api-0:6.0.24-57.el6_4
  • tomcat6-javadoc-0:6.0.24-57.el6_4
  • tomcat6-jsp-2.1-api-0:6.0.24-57.el6_4
  • tomcat6-lib-0:6.0.24-57.el6_4
  • tomcat6-servlet-2.5-api-0:6.0.24-57.el6_4
  • tomcat6-webapps-0:6.0.24-57.el6_4
refmap via4
bid
  • 59799
  • 64758
bugtraq 20130510 [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator
confirm
ubuntu USN-1841-1
Last major update 28-11-2016 - 14:09
Published 01-06-2013 - 10:21